International Atomic Energy Agency

Challenges and New Considerations in the Defence in Depth Concept

Presented by: Irina Kuzmina, SAS/NSNI, i.kuzmina@iaea.org

Contributors: P.Hughes, SAS/NSNI Head

A.Lyubarskiy, SAS/NSNI

56 IAEA General Conference - Side Event

CHALLENGES AND NEW CONSIDERATIONS FOR THE DEFENCE IN DEPTH CONCEPT FOR

NUCLEAR POWER PLANTS

19 September 2012

International Atomic Energy Agency2 of 19

� To provide information on the recent developments in the area of Defence in Depth (DiD) at the IAEA and elaborate on emerging challenges

OBJECTIVE OF THE PRESENTATION

HIGHLIGHTS

� Overview of an approach for holistic consideration of DiD (based on the paper presented at ANS PSA-2011 Conference)

� Emerging challenges for further development of the DiD concept

International Atomic Energy Agency3 of 19

Title of the Paper:An Approach for Holistic Consideration of Defence in Depth for Nuclear Installations Using Probabilistic Techniques

ANS PSA-2011 ConferenceInternational Topical Meeting on Probabilistic Safety Assessment and Analysis

• Wilmington NC, USA

• March 13-17, 2011

Authors: I. Kuzmina, M. El-Shanawany, M. Modro, and A. Lyuba rskiy International Atomic Energy Agency (IAEA)

International Atomic Energy Agency4 of 19

ILLUSTRATION OF DiD IN IAEA SAFETY REPORT #46

International Atomic Energy Agency5 of 19

SSG-2: POSSIBLE SUBDIVISION OF POSTULATED IEs

International Atomic Energy Agency6 of 19

AN EXAMPLE OF EVENTS AND ACCIDENTS TO BE CONSIDERED IN DiDEvent and Definition Frequency Range

Deviation – an event expected during the calendar year resulting in insignificant allowable change in plant parameters requiring adjustment by normal operation system

Mean frequency: 1 < F

Note: Deviations to be dealt with at Level 1 of DiD

Anticipated Operational Occurrences (AOO) - an event expected over the lifetime of the plant resulting in a substantial change in plant parameters due to malfunction or failures of normal operation system or external grid failures requiring operation of control systems to prevent reactor scram and/or engineered safety features actuation

Mean frequency: 10-2 < F < 1

Note: AOOs to be dealt with at Level 2 of DiD

Design Basis Accident (DBA) – an infrequent event leading to reactor scram, for which engineered safety features are provided by the design to prevent core damage (CD)

Mean frequency: 10-4 < F <10-2

Note: DBAs to be dealt with at Level 3 of DiD

Beyond Design Basis Accident (BDBA)

1) BDBA NOT directly leading to CD - an unlikely event, for which protection is not considered explicitly in the design, but which may be mitigated (CD avoided) due to the existing safety margins not credited in the design basis

Mean frequency: 10-6 < F < 10-4

Note: - BDBAs not resulting in CD can still be dealt with at Level 3 of DiD - BDBAs resulting in CD to be dealt with at Level-4 of DiD

2) BDBA directly leading to CD – a remote event representing a severe accident for which it is not demonstrated that CD can be prevented even considering the existing safety margins

Mean frequency: F < 10-6

Note: BDBAs directly leading to core damage to be dealt with at Level 4 of DiD

Design Extension?(SSR-2/1)

International Atomic Energy Agency7 of 19

Beyond Design Basis Accident (BDBA)

1) BDBA NOT directly leading to CD - an unlikely event, for which protection is not considered explicitly in the design, but which may be mitigated (CD avoided) due to the existing safety margins not credited in the design basis

Mean frequency: 10-6 < F < 10-4

Note: - BDBAs not directly leading to CD can still be dealt with at Level 3 of DiD

• Initiating events caused by multiple equipment failures (e.g. multiple failures of operational and emergency power supply buses)

• PIEs accompanied by multiple failures in safety systems (e.g. small LOCA with failure of all high pressure injection trains)

2) BDBA directly leading to CD – a remote event representing a severe accident for which it is not demonstrated that CD can be prevented even considering the existing safety margins

Mean frequency: F < 10-6

Note: BDBAs directly leading to core damage to be dealt with at Level 4 of DiD

• Reactor vessel rupture

• Prolonged total loss of all power sources

• Total loss of component cooling water

• Multiple reactor control rod ejection

EXAMPLES OF BDBA (from the paper at ANS PSA 2011 Conference)

International Atomic Energy Agency8 of 19

OVERVIEW OF EVENT TREE TECHNIQUE USED IN PSA

� Accident sequence – a chain of events linking the in itiator and possible consequences� Depending on the success or failure of the modellin g functions

� Main consequences considered in Level 1 PSA:� Plant safe state (OK), core damage (CD)

OK

CD due to loss of Function C

CD due to loss of Function B

CD due to loss of Function A

CONSEQUENCES

International Atomic Energy Agency9 of 19

CONCEPT OF DiD ILLUSTRATED BY THE EVENT TREE TECHNIQ UE

INSAG-12

INSAG-12

International Atomic Energy Agency10 of 19

CONCEPT OF DiD ILLUSTRATED BY THE EVENT TREE TECHNI QUE

International Atomic Energy Agency11 of 19

AN EXAMLE:US NRC considering a proposal for “risk-informed and performance-based concept of defence in depth”

International Atomic Energy Agency12 of 19

■ PSA used in the process of assessing compliance wit h DiD and determining the requirements for reliability of normal operation and safety systems, should be of sufficient scope and follow current state of the art in PSA technology

• A full scope PSA including all operational modes and events (i.e. internal initiating events caused by r andom component failures and human errors, internal hazar ds, and external hazards) is usually required

• A quality PSA should comply with contemporary PSA standards - examples are:�Recently issued IAEA Specific Safety Guides on Leve l-1 and

Level-2 PSA and Applications (SSG-3 and SSG-4, 2010 )

�ASME/ANS PRA Standard

■ An independent peer review is utmost important

REQUIREMENTS FOR PSA QUALITY

International Atomic Energy Agency13 of 19

� Peer reviews by teams of carefully selected independent international experts of Probabilistic Safety Assessments studies performed in MSs

� Conducted in accordance with the dedicated Guidelines

IAEA’sIPSART Service

International ProbabilisticSafety AssessmentReview Team

���� More than 60 missions performed

International Atomic Energy Agency14 of 19

EMERGING CHALLENGES

� Recognizing that DiD is not an absolute ‘panacea’:there will always be some events and accients that could challenge plant safety at different DiD level s• The consideration of frequency of events and

accidents is already implicitly or semi-explicitly included in the DiD concept (‘very unlikely’, ‘practically eliminated’, etc.)

• Should frequencies of different events and accident s be considered explicitly while determining the leve l of DiD at which they should be dealt with?�Clear requirements towards the frequency assessment should

be provided along with a robust consideration of uncertainties

�All hazards should be considered while defining the accident sequence frequencies

International Atomic Energy Agency15 of 19

EMERGING CHALLENGES (Cont.)

� Definition and understanding of DiD � Not only diversity and redundancy of safety systems

� Different perception of technical people to what Level of DiD plant systems are related to

� Reliability of first two levels of DiD� These are aimed at smooth plant operation and prevention of IEs

� Is regulatory control sufficient?

� DiD and design extended conditions (DEC)� The same or different requirements to DEC systems as to DBA-

related safety systems at Level-3 DiD?

� Capability of Level 4 of DiD� For operating NPPs, can we assure that containment and

containment systems are capable to confine releases following severe accidents with corium penetrated the reactor vessel?

International Atomic Energy Agency16 of 19

EMERGING CHALLENGES (Cont.)

� Consideration of SAMG within DiD� Should SAMGs be explicitly recognized as a necessary

element of Level 4 of DiD and get regulatory attention?� What should be requirements towards the systems to be

used in SAMG?

� Independence within and between DiD levels� What should be requirements regarding independence

between safety systems designed for DBA and design extension conditions?

� Independence of systems used in SAM needs to be addressed (e.g. injecting fire water to prevent core melt at Level 3 of DiD and in-vessel retention and ex-vessel cooling at Level 4 of DiD)

� Dependence on the same support systems may be difficult to eliminate at Level 3 and 4 of DiD

International Atomic Energy Agency17 of 19

EMERGING CHALLENGES (Cont.)

� Consideration of siting within DiD� Should siting and site protection features be explicitly

included in DiD?

� Consideration of internal and external hazards within DiD� Should protection against internal and external hazards be

explicitly included in the DiD structure? � Should this be addressed through the overall frequency of

IEs and accidents? Other approaches?

� Holistic application of DiD� Is DiD currently applied in a complete and structured

manner and formalized way? � Are all five levels always consistently considered?

International Atomic Energy Agency18 of 19

CONCLUDING REMARKS

� The approach presented at the ANS Conference can assist in:• Holistic consideration of all levels of DiD in conjunction

with deterministic and probabilistic safety goals a nd success criteria, and

• Defining requirements towards the reliability of normal operation systems and engineered safety features

� The international community is challenged to further develop the DiD safety concept reflecting operational experience and current state-of-the-artin nuclear safety to provide safety of present and future nuclear installations

International Atomic Energy Agency19 of 19

THANK YOU FOR YOUR ATTENTION